IDGNet Virus & Security Watch Thursday 17 April 2003


This issue's topics:

Introduction:

* Critical Windows, OS X, Oracle patches, Group Wise 6 update

Virus News:

* Another one bites the dust...

Security News:

* Patch for privilege elevation in Windows kernel

* Novell Group Wise 6 Support Pack includes security fix

* Multiple security fixes in Mac OS X 10.2.5 update

* Critical file exposure flaw in Oracle E-Business Suite & Applications

Introduction:

A quiet week for security announcements bodes well for the long weekend with our system and network administrators possibly being able to take a break! There is nothing of great import to announce on the virus front again this week and few major vulnerabilities needing patching. The latest OS X patches from Apple include fixes for several recent critical vulnerabilities in some Unix-ish applications and the Oracle E-Business Suite admins have a critical file exposure vulnerability to deal with. The Windows kernel patch described below may be of critical severity, depending on how your machines are used (shared vs. single-user) and the Group Wise Support Pack fixes a potential denial of service in authenticated SMTP.

Remember, next week 'the Watch' will also be delivered on Thursday because of Anzac Day.

Virus News:

* Another one bites the dust...

Things must be getting better.

OK, aside from the usual background noise of really old self-mailing viruses such as Klez, Sircam, Sobig and Yaha (which don't pose any threat to companies or individuals with modestly up-to-date virus scanners), we are now into the third successive week in April without any viruses of any significance to report. Unlike last week, four minor new entries have appeared in the MessageLabs 'Threatlist', but in total they account for 43 detections. Compared to Klez.H's close to quarter of a million detects so far this month (which we now consider 'background noise') it seems these are unlikely to cause much of a sniffle...

Security News:

* Patch for privilege elevation in Windows kernel

All currently supported versions of NT-based operating systems (NT 4.0, Windows 2000 and XP) contain a vulnerability in the OS kernel that can allow privilege elevation. A buffer overflow in the kernel code that handles the dispatch of debugger messages is exploitable, allowing anyone with interactive logon access to such a machine the ability to run a program that could increase their privileges or perform other actions on the machine with the privileges of the local system account.

Microsoft rates this as an 'important', rather than 'critical' severity vulnerability because systems exercising best practice rules of least privilege should have very restricted interactive logon rights to the most critical machines in a network, such as domain controllers, web, file and print servers, etc.

However, depending on the nature of your users and their roles within the organization, this may be a critical flaw. For example, environments where machines are shared among users and inter-user privilege separation is important are fundamentally broken if a user can obtain local system privileges and install a key-logger, which would then give them other users' account names and passwords.

The flaw affects all types of the affected system software: workstation, server and terminal server.

Note: Just before posting this issue of the newsletter the NTBugtraq mailing list moderator pointed out that Windows 2000 SP2 users should be wary of this update if affected by one of the post-SP2 hotfix problems that affect MS03-007. It appears that the patch for MS03-013 contains the NTDLL.DLL fix from MS03-013 despite this (and several other updated files) not being mentioned in the file manifest in the associated KnowledgeBase article. We have included a link to that NTBugtraq message as well, in case any of our readers are affected by this SP2/MS03-007 interaction problem.

Archived NTBugtraq list message - ntbugtraq.com

Microsoft Security Bulletin MS03-013

* Novell Group Wise 6 Support Pack includes security fix

Amongst the patches and feature upgrades included in Support Pack 3 for Group Wise 6 is a patch fixing a remotely exploitable denial of service against SSL-authenticated SMTP connections.

At a shade over 300 MB, the option of ordering the Support Pack on CD may be preferable to the download option...

GroupWise 6 Support Pack 3 English Only - novell.com

* Multiple security fixes in Mac OS X 10.2.5 update

OS X administrators should remember that their OS now has strong Unix-ish roots and many vulnerabilities in Unix-based programs we report are also likely to apply to the OS X versions of the software. The latest OS X update release highlights this with its inclusion of fixes for several of the 'big' Unix vulnerabilities of the last few weeks. Top among these, at least in terms of severity, are the Sendmail 'parseaddr.c' and Samba 'call_trans2open' buffer overflows.

Also included are fixes for the OS X-specific DirectoryServices privilege escalation discovered by @Stake security researchers.

Users who have all systems up to date with the OS X 10.2.4 release need only obtain the 'delta' update, which is approximately 38 MB. Users needing to update a broader range of base OS X installations must get the full or 'combination' update which is approximately 80 MB. Download pages for both update packages are linked below. A CD containing both sets of update files can also be ordered.

MacOS X DirectoryService Privilege Escalation - atstake.com

Mac OS X 10.2.5 Delta Update - apple.com

Mac OS X 10.2.5 Combo Update - apple.com

* Critical file exposure flaw in Oracle E-Business Suite & Applications

Integrigy security researchers have discovered that the Report Review Agent (RRA/FNDFS), included in the Oracle E-Business Suite 11i and Oracle Applications 10.7 and 11.0, can be used to retrieve any file from Oracle Applications Concurrent Manager servers. This can be achieved bypassing all layers of application, database management and operating system authentication.

Oracle has released updates, and its advisory on this issue includes links to best practices guidelines for those running its E-Business Suite to minimize exposure to such vulnerabilities.

Oracle E-Business Suite FNDFS Vulnerability - integrigy.com

Report Review Agent Vulnerability in E-Business Suite - oracle.com (PDF)
